C. Amendments to the Claims 



1 1 . (Currently Amended) A network storage architecture supporting securely 

2 controlled access and bidirectional transfer of data between a client computer 

3 system and a network data store, said network storage architecture comprising: 

4 a) an agent program; executed on a client computer system and t operative 

5 with respect to an application program , exec u table b y s a i d c l ie nt c o m p u ter syst em 

6 to a cc e ss a n et w o rk d ata s tore , to develop authentication data with respect to 

7 said application program , wherein said application program, as executed by said 

8 client computer system, is operative to perform o non-sequential request for the 

9 transfer of a first predetermined sub-portion of a predetermined file stored by a 

10 network data store, said authentication data including a representation of said 

1 1 non-sequential request ; and 

12 b) a network appliance, coupleable through a communications network to 

13 said client computer system, interoperable with said agent program to receive and 

1 4 validate said authentication data, said network appliance determining selectively 

1 5 pr ovi d i ng a r e s p o n se m e ssa ge to s a id ag e n t progra m to control execution of said 

16 application program with respect to the performance of said non-sequential 

17 request by enabling encrypted transfer of a second predetermined sub-portion of 

18 said predetermined file, inclusive of said first predetermined sub-portion, with 

19 respect to said network data store . 

1 2. (Currently Amended) The network storage architecture of Claim 1 wherein 

2 said authentication data includes user and user session data. 

1 3. (Original) The network storage architecture of Claim 2 wherein said 

2 authentication data includes a secure signature of said application program. 

1 4. (Original) The network storage architecture of Claim 1 wherein said agent 

2 program is operative to obtain user authentication and collect data with respect 

3 to user sessions and processes to develop said authentication data. 



Attorney Docket No.: AESN3008Conl 

Obr/aesn/3008con1 .004.resp1 .wpd 



Page 5 



1 5. (Original) The network storage architecture of Claim 4 wherein said agent 

2 program is further operative to generate a secure signature of said application 

3 program and provide said secure signature as part of said authentication data. 

1 6. (Original) The network storage architecture of Claim 1 wherein said 

2 network appliance includes a policy parser operative to evaluate said 

3 authentication data and a policy data store including predetermined policy data 

4 accessible by said policy parser. 

1 7. (Original) The network storage architecture of Claim 6 wherein said 

2 predetermined policy data, as evaluated by said policy parser, is determinative of 

3 said response message. 

1 8. (Currently Amended) A network storage architecture supporting securely 

2 controlled access and bidirectional transfer of data between a client computer 

3 system and a network data store, said network storage architecture comprising: 

4 a) an agent program, executed on a client computer system, responsive to 

5 a source file request issued with respect to a network data store by an application 

6 program executed by said client computer system, wherein a source file is stored 

7 by said network data store and wherein said source file request is a random 

8 read/write request specifying transfer of a first defined sub-portion of said source 

9 file^ said agent program being operative to develop authentication data with 

10 respect to said application program and to provide a file request message 

1 1 including a representation of said source file requestand said authentication data; 

12 and 

13 b) a network appliance, coupleable through a communications network to 

14 said client computer system and responsive to said file request message, said 

1 5 network appliance including a policy parser operative to evaluate said file request 

1 6 message and a policy data store including predetermined policy data accessible 

1 7 by said policy parser, said network appliance, responsive to the evaluation of said 

18 file request message, enabling performance of said source file request with 

1 9 respect to said network data store including transfer from said network data store 
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20 g second defined sub-portion of said source file inclusive of said first defined sub- 

21 portion of said source file . 



1 9. (Original) The network storage architecture of Claim 8 wherein said 

2 authentication data includes an authenticated identification of a user associated 

3 with said application program. 

1 10. (Original) The network storage architecture of Claim 9 wherein said 

2 authentication data includes user session and context data. 

1 11. (Original) The network storage architecture of Claim 10 wherein said 

2 authentication data includes a secure signature of said application program. 

1 12. (Currently Amended) The network storage architecture of Claim 8 wherein 

2 said network appliance enables the generation of a modified file request 

3 corresponding to said source file request and directed to said network data store^ 

4 said modified file request specifying transfer of said second defined sub-portion 

5 of said source file . 

1 13. (Original) The network storage architecture of Claim 1 2 further comprising 

2 a first communications network through which said file request message is 

3 received by said network appliance and a second communications network 

4 through which said modified file request is provided to said network data store. 

1 1 4. (Currently Amended) The network storage architecture of Claim 1 3 wherein 

2 said network appliance includes an encryption unit and wherein said network 

3 appliance further provides for the cipher processing of said second defined sub- 

4 portion of said source file as f i l e da ta transferred in connection with said modified 

5 file request such that said first sub-portion of said source file is encrypted as 

6 transferred to said network data store . 

1 15. (Original) The network storage architecture of Claim 14 wherein said policy 

2 data store further provides for the storage of an encryption key identifier 
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3 determinable by said policy parser on evaluation of said file request message and 

4 wherein said network appliance obtains an encryption key identified by said 

5 encryption key identifier for use in the cipher processing of file data transferred in 

6 connection with said modified file request. 

1 16. (Original) The network storage architecture of Claim 15 wherein said 

2 authentication data includes a process identifier, corresponding to said 

3 application program as executed on said client computer system, a verified user 

4 identifier, and a group identifier, and wherein said policy parser is operative to 

5 qualify said file request message against said predetermined policy data with 

6 respect to said process identifier, verified user identifier, and group identifier, 

1 1 7. (Currently Amended) A method of securing access by a client computer 

2 system to file data stored on a storage device accessible by said client computer 

3 system, said method comprising the steps of: 

4 a) intercepting, by a first program as executed on a client computer system, 

5 a data transfer request issued by a second program, as executed on said client 

6 computer system, directed to a data file stored by a client accessible file data 

7 store , wherein said data transfer request specifies transfer of a first sub-portion of 

8 said data file to said client accessible file data store: 



9 b) first processing, by said first program, said data transfer request to 

10 associate authentication data with said data transfer request; 

1 1 c) evaluating, by a security appliance coupled to said client computer 

12 system through a communications network, said data transfer request, said 

1 3 authentication data, and access control data corresponding to said data file to 

14 qualify said data transfer request; and 

15 d) second processing to selectively enable said data transfer request to 

16 proceed relative to said data file dependent on the qualification of said data 

1 7 transfer reques t, said second processing includina the steps of 

18 I) retrieving a second sub-portion of said data file: 

19 ii) decrypting said second sub-portion; 

20 iii) incorporating said first sub-portion into said second sub-portion; 

21 iv) encrypting said second sub-portion: and 
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22 v) transferring said second sub-portion to said client accessible file 

23 data store for incorporation into said data file . 



1 1 8. (Currently Anaended) The method of Claim 1 7 wherein said authentication 

2 data includes process and user context identification information. 

1 19. (Original) The method of Claim 17 wherein said authentication data 

2 includes a verified user identifier and a process identifier. 

1 20. (Original) The method of Claim 17 wherein said authentication data 

2 includes a verified user identifier, a process identifier, a group identifier. 

1 21. (Currently Amended) The method of Claim 17 wherein said data file 

2 includes file data that, as stored by said client accessible file data store, is stored 

3 as g plurality of discretely encrypted blocks, wherein said first and second sub- 

4 portions of said data file are respectively first and second sub-portions of the file 

5 data of said data file, wherein said data transfer request specifies a data range 

6 of file data and wherein said second processing step includes the step of 

7 modifying said data range to correspond to a sub-plurality of said discretely 

8 encrypted blocks defining said second sub-portion, thereby accommodating the 

9 gccomnio d ote block encryption of file data within said data file. 

1 22. (Original) The method of Claim 17 wherein said step of evaluating 

2 associates encryption control data with said data transfer request and wherein 

3 said second processing step, responsive to said encryption control data, includes 

4 cipher processing of file data transferred in connection with said data transfer 

5 request. 

1 23. (Original) The method of Claim 22 further comprising the steps of: 

2 a) first transferring said data transfer request to said security appliance 

3 through a first communications network; and 

4 b) second transferring said data transfer request relative to said client 

5 accessible file data store through a second communications network. 
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1 24. (Original) The method of Claim 23 wherein, through said first and second 

2 transferring steps, said security appliance is established a network portal through 

3 which network file accesses are routed between said client computer system and 

4 said client accessible file data store. 

1 25. (Currently Amended) A method of securing bidirectional file access 

2 operations by a client computer system made with respect to a client accessible 

3 file data store, said method comprising the steps of: 

4 o) intercepting, by a first program executing on a client computer system, 

5 file operation requests issued by a second program, as executing on said client 

6 computer system, wherein soid file operation requests are issued with respect to 

7 files selectively stored encrypted in a filesystem accessible by said client computer 

8 system; 

9 b) determining, by said first program relative to a predetermined file 

10 operation request, authentication data for said second program, wherein said 

1 1 authentication data includes user and process identification data and a 

12 representation of said predetermined file operation request; ond 

1 3 c) enabling, by a security appliance responsive to said authentication data, 

14 said predetermined file operation request with respect to a file identified by said 

1 5 predetermined file operation request, wherein said enabling step is dependent on 

1 6 qualification, by said security appliance, of said authentication data against policy 

17 data defining operation permissions relative to said file including a write 

18 operation permission to allow modification of said file as stored encrypted in said 

19 filesystem; and 

20 d) transferring predetermined encrypted blocks of file data representing a 

21 sub-portion of said file in response to said predetermined file operation request 

22 through a network connection where said predetermined encrypted blocks of file 

23 data are decrypted, modified, encrypted, and returned throuah said network 

24 connection for storage as part of said file . 
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1 26. (Currently Amended) The method of Claim 25 further comprising the steps 

2 of: 

3 a) associating an encryption key with said predetermined file operation 

4 request determined from the qualification of said authentication data against said 

5 policy data; and 

6 b) cipher processing, using said encryption key, said predetermined 

7 encrypted blocks of file data transferred relative to said file. 

1 27. (Currently Amended) The method of Claim 26 wherein sold predetermined 

2 file operation includes a specification of file data to be transferred and wherein 

3 said step of cipher processing includes modifying said the specification of said 

4 predetermined file operation request to correspond to sold predetermined 

5 encrypted blocks acc o mmod at e en cryp t i o n of file data transferred relative to said 

6 file. 

1 28. (Original) The method of Claim 27 wherein said step of cipher processing 

2 is performed on said security appliance. 

1 29. (Original) The method of Claim 28 wherein said authentication data 

2 includes a verified user identification and a login process identification. 

1 30. (Currently Amended) A security appliance for securing bidirectional access 

2 by client computer systems to persistently stored remotely encrypted data files, said 

3 security appliance comprising: 

4 a) a processor coupleable to a client computer system to receive an access 

5 request message, wherein said access request message includes authentication 

6 data and an identification of a random read/write file data transfer operation 

7 directed to an identified data file stored encrypted in a persistent data file store; 

8 and 

9 b) a policy data store, accessible by said processor, providing for the 

1 0 storage of predetermined file operation qualifiers applicable to data files present 

1 1 in said persistent data file store, wherein said policy data store is maintained 

1 2 secure by said processor with respect to said client computer system, and wherein 
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1 3 said processor is operative to selectively enable said random read/write file data 

14 transfer operation^ dependent on an evaluation of said predetermined file 

15 operation qualifiers with respect to said access request message to transfer an 

16 encrypted sub-portion of said identified data file through a network connection for 

17 remote decryption, modification and return through said network connection for 

18 storage as part of said identified data file . 

1 31 . (Original) The security appliance of Claim 30 wherein said authentication 

2 data includes a verified user identifier and a group identifier and wherein said 

3 processor is operative to discriminate said verified user identifiers, said group 

4 identifier, said file operation and said identified data file against said 

5 predetermined file operation qualifiers to obtain said evaluation. 

1 32. (Original) The security appliance of Claim 31 wherein said policy data 

2 store further provides for the storage of encryption keys in association with said 

3 predetermined file operation qualifiers and wherein said processor is operative to 

4 retrieve a predetermined encryption key from said policy data store dependent on 

5 said evaluation. 

1 33. (Currently Amended) The security appliance of Claim 32 wherein said 

2 processor, responsive to said evaluation, is further operative to provide for said 

3 file operation to be passed through said network connection to said persistent 

4 data file store. 

1 34. (Currently Amended) The security appliance of Claim 33 wherein said 

2 processor, responsive to said evaluation, is further operative to modify a 

3 specification of said random read/write file data transfer operation to encompass 

4 ac co mmodate the transfer of said encrypted sub-portion of said identified data 

5 file e n ciy pte d da t a i n c on n e c t io n wi t h the performance of said random read/write 

6 file data transfer operation with respect to said identified data file. 
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1 35. (Currently Amended) The security appliance of Claim 34 wherein said 

2 processor includes an encryption engine operative to process said encrypted sub- 

3 portion of said identified data file as e nc r y pt e d d at a transferred through said 

4 network connection wi t h r espec t t o s a i d id e n t ifi e d da ta fi le. 
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D. Amendments to the Drawings 

Drawing figure 12b has been amended to change the first occurrence of the reference 
numeral 386 (upper right) to read 366 . 
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